I see your point but I think it is being blown out of proportion.I think you are missing the real issue here. Yes it's a PITA to change our passwords but that's just what we have to do when your server gets hacked. All we can do is ask that you improve your security so that your server does not get hacked again.
My problem is your new requirement for very strong passwords that expire every year. Yes, that is one way of ensuring that we, as users, do not reuse passwords between different sites but it really does not address the problem of bad server security. If your servers get hacked again, the strength of our passwords is unimportant. We will have to change our passwords again because you can't assume passwords are good enough after a hack, you just have to change them. Our strong passwords will not prevent us from having to change passwords. Our strong passwords will not prevent your servers from getting hacked.
All strong passwords will achieve is that we will be inconvenienced by having to remember the new password. Strong passwords will also prevent us from reusing passwords. That's a nice goal but you are not my mother. I don't need you to tell me what passwords I can or cannot reuse. I have a simple method of creating and remembering simple passwords for all my low priority sites. Your new rules prevent me from using that method, and even if it did not, it will expire in a year. I have a different method of remembering all my high priority passwords and this site does not merit being included with all my high priority sites.
Essentially you have just demanded that I treat MR2OC as if it was as important as BankOfAmerica. It is just not that important and your new rules are an annoyance I do not want.
The new rules are just a show intended to distract us from the real issue of whether your server security is strong or not.
This whole issue has nothing to do with our server security. A third party plugin got hacked and got limited access to some info for our sites and thousands of others. We got stuck cleaning up the mess and have legal and authorities on it.
The time you have posting all this is more than the time you will spend for the next few years updating a password with a few extra characters once a year.
Using (Passw0rd1234#!) versus using (Password1234) should not be that big of a deal, use Google Chrome password manager and you will be fine, I have 700+ passwords in it.